Professional Liability, Errors & Omissions, E&O

01/04/2011

Cloud Computing, it’s as if the term was coined just to keep insurance companies in a fog.

Early in 2010 I was introduced to Michael Abrahamsson. Michael is the CEO of Ilait, a market leading cloud computing and hosting wholesaler based in Sweden and a Board Member of Eurocloud. Ilait was looking to expand and deploy their services into the US and Michael had been referred to me to assist with placing insurance.

Insuring a provider of cloud computing services can be extremely difficult. Just communicating the exposure to insurance company underwriters who may not be familiar with or understand the risk can be very challenging. Cloud computing typically consists of services such as SaaS, utility computing, web services, platform as a service, managed service providers, service commerce platforms, and internet integration. Exposure to loss comes in the form of business interruption/service interruption, data privacy breach/loss, and other financial loss due to the performance of service/product.

These are many of the same exposures to risk as most other technology organizations, but due to the nebulous nature of cloud computing, mitigating loss can be challenging. Communicating how an organization effectively manages this risk is what enables us to offer our clients the most competitive insurance premiums available.

However, organizations providing cloud computing services are not the only ones at risk. In fact, organizations that utilize cloud computing services must understand this risk and should consider transferring it contractually to the service provider and/or to insurance.

It is critical to understand that outsourcing cloud computing services is not the same as outsourcing or transferring risk. Be wary of cloud computing service contracts that include a hold harmless provision within the indemnity agreement that strongly favors the service provider. Furthermore, requiring adequate professional liability/E&O insurance limits can be challenging considering the significant number of other parties that may also be affected.

Finally, if utilizing cloud computing services, be aware that your organization will be held responsible for State and Federal Laws related to data privacy and compliance with HIPAA, SOX, PCI and FISMA (for more information on data privacy you can read my article here). An indemnity agreement written or approved by your legal counsel is the first step to a strong risk management strategy, but if you are responsible for PII (Personally Identifiable Information), a comprehensive data privacy insurance policy should be strongly considered. Selecting a cloud computing service provider that has strong security controls and implementing strong contractual risk transfer will be reflected in lower insurance premiums.

Due to the significant amount of data being computed/stored within the cloud, it will always be a target of fraud and abuse. However, the scalability, cost, and efficiency will inevitably lead to greater use. Taking the proper steps to mitigate loss and transfer risk via contract and/or through an insurance policy will reduce risk to an organization's balance sheet, and will make it much safer to harness the power of the cloud.

06/10/2010

You can’t attend a Human Resource, Marketing, or Legal conference these days without a discussion on social media. My wife and I have toddler-age twin boys, and I relate social media for employers to organic chocolate milk… It's organic, has milk, and the brand we purchase even advertises DHA and Omega 3’s! Did I mention it was milk? Truth is, we limit the boys to one glass a week and they get plenty of exercise (running away from mom and dad). Similarly, Social Media for your organization is probably a good idea, but it’s important to put some policies and procedures in place and be consistent in your enforcement.

Social Media's dirty little secret? You and your employees are probably not covered by your General Liability policy.

I often peruse updates of organizations that I follow on a well-known social networking/professional networking site. Recently I came across an individual commenting that he was considering organizing a flash mob as a way to raise awareness of his organization's industry. Basically, an individual responsible for organizational development and a vibrant social media user was gathering input on whether or not people would be willing to participate in an organized flash mob. A flash mob, as defined by Wikipedia, is a large group of people who assemble suddenly in a public place, perform an unusual and pointless act for a brief time, and then quickly disperse.

While I thought it a great way to reach a specific demographic, I immediately cringed once I put on my risk management hat. I immediately started considering the impact of a recent FTC ruling and guidelines (FTC 16 CFR Part 255 Guides Concerning the Use of Endorsements and Testimonials in Advertising) related to potential liability imposed on employers for social media comments, regardless of the employers’ knowledge. While I doubt this industry group's flash mob would turn ugly similar to the event that occurred in Philadelphia back in February of 2010 (a group of 150 teenagers involved in a flash mob leading to 16 arrests), I was concerned that lawsuits could be tendered to the employer of the organizer. And as we'll discuss, more than likely, this wouldn't be covered by the employer's General Liability policy.

The landscape of business communication and the law governing social media is changing rapidly. It's important that employers speak with their attorney and understand the social media liability issues facing their organization. I would suggest that you consider reading an article published in The National Law Journal, “Social Media Permeate the Employment Lifecycle”. The liability facing employers is real, and it's worth noting that on March 16, 2010 the first lawsuit alleging unlawful conduct via social media due to a former employee's restrictive covenant was filed. In the lawsuit, TEKsystems sues three of its former employees and their new employer, Horizontal Integration, Inc. Also, another interesting lawsuit occurred in 2009 when the owner of Pizza Kitchen was sued for defamation after posting disparaging remarks on Facebook about a marketing firm it was utilizing.

In the same ruling from the FTC above, they suggest that employers institute an appropriate policy governing social media participation by employees:

“if the employer has instituted policies and practices concerning ‘‘social media participation’’ by its employees, and the employee fails to comply with such policies and practices, the employer should not be subject to liability. The Commission agrees that the establishment of appropriate procedures would warrant consideration in its decision”

"Companies are entitled to free speech, but their commercial speech is less protected. The lower protection comes in the form of a higher standard of care for truth and accuracy. So, when company employees participate in social media on behalf of their employer, they subject the company to the same risks as a newspaper or individual, but with less protection."

Furthermore, he suggests:

"In order to mitigate these risks, companies need to prepare their employees. A social media policy is part of that preparation. Such policies are about labor law, but also about advertising, marketing, public relations, product liability and other activities that carry legal implications."

So once you’ve committed the organization to the slippery slope of social media and have developed your policies and procedures, now it’s time to turn to the subject no one is talking about! Your General Liability policy will most likely NOT respond to a 3rd party claim or injury resulting from your blog or social media page. For example, the standard General Liability policy (ISO CG00 01 12 07) will exclude injury "arising out of an electronic chat room or bulletin board the insured hosts, owns, or over which the insured exercise control" (ISO CG00 01 12 07), as well as Personal and Advertising injury "arising out of the infringement of copyright, patent, trademark, trade secret or other intellectual property rights" (ISO CG00 01 12 07). This includes data privacy breaches and claims resulting from a data privacy breach. You will want to speak with your attorney to decide how a social media site that an employee owns or controls would be considered relative to a defamation lawsuit against your organization stemming from that employee's "tweet", but I can say with confidence that most General Liability policies do not contemplate this risk.

So what is the solution?

Don't be caught by surprise! Twitter, Blogs, Facebook and other social media exposures are soon becoming just another part of an organization's daily operation. And while the organization may not be specifically involved in Social Media, what about your employees? Social Media needs to be carefully considered in your risk management program.

Insurance companies are well aware of this exposure and have developed innovative products to assist in covering this potential gap. Professional, Communications, Data Privacy & Media Liability policies, in many forms, are available as endorsements or stand-alone products and will complement your enterprise-wide risk management program. In many cases, coverage is relatively inexpensive with minimum annual premiums as low as $1,500.

03/22/2010

With the likes of Microsoft, Amazon, Real Networks, F5, Attachmate, and InfoSpace, it is never a surprise when Seattle garners a #1 ranking in a technology report. But today Seattle gets the dubious distinction of being the "Riskiest Online City" as reported by Symantec (Norton). You can read the report here.

09/01/2009

Recently CU Times reported that CUNA Mutual/CUMIS would be adapting its corporate bond program based on the impact the economy has had on CUNA Mutual/CUMIS's bottom-line performance. CUNA MUTUAL Article in CU Times

“Because financial condition has an impact on Bond and SIP losses, we have an obligation as a mutual company committed to credit unions to take certain actions and maintain our financial strength for all of our policy owners.”

But what exactly does that mean if you are insured by CUNA Mutual/CUMIS? It could mean that the terms and conditions within the policy will change or renewal premiums could be much higher. But it could also mean that Credit Unions could be declined renewal coverage by CUNA Mutual/CUMIS.

I believe that CUNA Mutual/CUMIS will incorporate a plan to do all three. With the recent downgrades and negative outlook ratings by AM Best and Fitch, this is probably a reaction by CUNA Mutual/CUMIS to strengthen a weakened financial position. Furthermore, should CUNA Mutual/CUMIS continue to decline, many Credit Unions may be in breach of contract as many contracts require that insurance be placed with "A" rated insurance carriers. You'll note that recently the Federal Home Loan Bank of Boston decided to stop buying mortgages that have their primary insurance with CUNA Mutual Group Mortgage Insurance as a result of the Standard and Poor's July 29th downgrade from A to BBB+.

Credit Unions that purchase insurance directly from CUNA MUTUAL/CUMIS should start looking for alternatives today, as the marketplace is tough on financial institutions, and many brokers are unfamiliar with the specific needs of Credit Unions.

08/26/2009

An article I wrote on Data Privacy for Credit Unions was recently picked up by the largest Credit Union publication in the nation, CU Times, and published today. It is widely regarded as the paper of record for the credit union industry.

The article discusses the criminal indictment of Albert Segvec Gonzalez, who was also the mastermind behind the TJX Breach. It also discusses the 30 civil lawsuits against Heartland Payment Systems by Financial Institutions, Consumers, and Investors. More than 650 Institutions were affected by the breach.

Furthermore, the article provides some insight on the FTC case alleging Goal Financial did not sufficiently safeguard personal data and the penalties that resulted from that case.

Finally, the article highlights steps that financial institutions can take to insure and mitigate risk. Insurance products can be designed to pay regulatory fines and penalties, 3rd party lawsuits including member lawsuits, and expenses associated with the data breach including compliance with red flag rules.

07/30/2009

On July 28th a suit was filed by Horizon Group Management over a Twitter post by one of its residents who tweets: "Who said sleeping in a moldy apartment was bad for you? Horizon realty thinks it's okay."

The suit claims that Bonnen "maliciously and wrongfully published the false and defamatory Tweet on Twitter, thereby allowing the Tweet to be distributed throughout the world."

With so many organizations looking at utilizing social networking, blogging, and tweeting, it is important to understand the risks involved. Possible Personal and Advertising injury as well as Intellectual Property Infringement can easily occur by employees tweeting and blogging on behalf of your organization.

Furthermore, most commercial insurance policies will exclude Personal and Advertising injury "arising out of an electronic chat room or bulletin board the insured hosts, owns, or over which the insured exercise control" (ISO CG00 01 12 07), as well as Personal and Advertising injury "arising out of the infringement of copyright, patent, trademark, trade secret or other intellectual property rights" (ISO CG00 01 12 07).

Insurance companies are well aware of this exposure and have developed innovative products to assist in covering this potential gap. Professional, Communications, & Media Liability policies, in many forms, are available as endorsements or stand-alone products and will complement your enterprise-wide risk management program. In many cases, coverage is relatively inexpensive with minimum premiums as low as $2,000.

Don't be caught by surprise! Twitter, Blogs, Facebook and other social media exposures are soon becoming just another part of an organization's daily operations, and should be carefully considered in your risk management program.

There is a great article from the Financial Post on the personal liability of tweeting that you can find here:

07/28/2009

In today’s data age, almost all organizations store some form of private or confidential information, whether it concerns employees, customers, or information obtained from vendors. Since 2005 more than 200 million records containing sensitive personal information have been reported in security breaches in the United States.

The costs associated with notification and the liability arising out of privacy and security matters are costing organizations of all sizes and types millions of dollars. One insurance carrier recently produced a data loss calculator that estimates that on average the costs associated with data loss are about $166 per record. It also provides information on pending class action lawsuits where plaintiffs are requesting $1 million to $21 million per person for damages due to data loss.